If your business sends out regular e-newsletters, customer magazines or other communications, you will most likely have a database of recipients’ names, addresses (postal or email) and perhaps other information.
The data protection rules under the GDPR introduce new requirements for how you record and handle such information about your customers and other business contacts, and how you keep it secure. The rules will apply to information you hold already, not just new information you gather after May 2018.
Consent and privacy issues
One major change is that under the GDPR, the rules on obtaining consent to store and use personal data will change. It will no longer be the case that ‘one consent fits all’. For example, if a customer in a clothes shop provides their email address and consents to receiving an electronic copy of their receipt, the clothes shop cannot use that email address to send out newsletters or promotional offers unless the customer has also agreed to receive these.
Consent must be freely given, specific, informed, properly documented and easy for people to withdraw. For example, it is no longer acceptable to use pre-ticked boxes on webpages which state that the information provided by a customer when placing an order will also be used for marketing purposes. This means your customers and other business contacts have to “opt-in” and explicitly agree to their data being used in a particular way.
Questions to consider
The GDPR introduces stringent penalties if businesses, charities and other data controllers cannot show they have complied with the rules on obtaining consent and properly using personal data. Organisations of all sizes need to review the way they manage data and consents from individuals.
Some questions you should consider include:
- do you have the right kind of consent from each of the people in your current database to comply with the GDPR?
- what do you need to tell people about your lawful basis for holding their personal data?
- are you clear about how, why and for how long you’re holding personal data?
- are you providing adequate ‘privacy notices’?
- how should you handle the ‘right to be forgotten’?
- if you outsource your marketing campaigns or database management to a data processor, what do you need to check?
- how do you report and manage a breach of the new rules, in order to minimise any legal and reputational consequences?
Our experienced team can support you on these issues and other practical questions around your data protection policies and procedures.